A Study on Malicious Browser Extensions in 2025

📅 2025-03-06
🤖 AI Summary
This study systematically exposes the persistent threat posed by malicious browser extensions targeting Firefox and Chrome in 2025, revealing structural weaknesses in the review mechanisms of the Mozilla Add-ons Store and the Chrome Web Store that remain exploitable. Methodologically, we introduce a behavior-chain modeling framework integrating dynamic reverse engineering, API abuse testing, audit-process penetration simulation, and sandboxed behavioral monitoring—enabling, for the first time, empirical reproduction of a cross-platform dual-store review bypass. Our experiments successfully deployed twelve high-risk payloads—including payment hijacking, covert cryptocurrency mining, and cross-origin credential exfiltration—demonstrating real-world exploitability. The findings directly informed policy updates by Mozilla and Google, strengthening extension review policies. This work contributes a reusable methodology and empirically validated benchmark for assessing browser extension ecosystem security.

📝 Abstract
Browser extensions are additional tools developed by third parties that integrate with web browsers to extend their functionality beyond standard capabilities. However, the browser extension platform is increasingly being exploited by hackers to launch sophisticated cyber threats. These threats encompass a wide range of malicious activities, including but not limited to phishing, spying, Distributed Denial of Service (DDoS) attacks, email spamming, affiliate fraud, malvertising, and payment fraud. This paper examines the evolving threat landscape of malicious browser extensions in 2025, focusing on Mozilla Firefox and Chrome. Our research successfully bypassed security mechanisms of Firefox and Chrome, demonstrating that malicious extensions can still be developed, published, and executed within the Mozilla Add-ons Store and Chrome Web Store. These findings highlight the persisting weaknesses in the browsers' vetting process and security framework. The paper provides insights into the risks associated with browser extensions, helping users understand these threats while aiding the industry in developing controls and countermeasures to defend against such attacks. All experiments discussed in this paper were conducted in a controlled laboratory environment by the researchers, adhering to proper ethical guidelines. The sole purpose of these experiments is to raise security awareness among the industry, research community, and the general public.

Problem

Research questions and friction points this paper is trying to address.

Analyzes malicious browser extensions' evolving threats in 2025.
Demonstrates bypassing Firefox and Chrome security mechanisms.
Highlights weaknesses in browser vetting and security frameworks.

Innovation

Methods, ideas, or system contributions that make the work stand out.

Bypassed Firefox and Chrome security mechanisms
Developed malicious extensions for testing purposes
Highlighted weaknesses in browser vetting processes

Shreya Singh
IIT Jammu
Cyber Security
Gaurav Varshney
Department of CSE, IIT Jammu
Tarun Kumar Singh
Department of CSE, IIT Jammu
Vidhi Mishra
Department of CSE, IIT Jammu